Don MacVittie believes we’ve made progress integrating security across the SDLC, but there’s still a ways to go.
The Security Pipeline
Over the last few years, the ability to secure our applications has grown, and deep integration into the DevOps toolchain has, too. There are more tools doing more security checks protecting more of the infrastructure and source than there have ever been. The key is putting them to use intelligently. We now have the ability […]
Turning Off DevSecOps Noise for Functional Fidelity
Analyzing the DevOps and DevSecOps software marketplace demonstrates the high demand for tools and platforms that reduce false positives. As businesses and organizations adopt a rigorous, disciplined software development life cycle and subscribe to strict compliance frameworks, they quickly realize that automated tools can generate a substantial amount of noise, in the form of false […]
Quick! Define DevSecOps: Let’s Call it Development Security
For a good long while, DevSecOps referred specifically to vendors like Veracode that did static application security scanning, dynamic application security scanning, software composition analysis and some form of runtime monitoring (usually interactive scanning). Then we realized that DevSecOps was potentially a lot more than that and, like DevOps, we drove the word to encompass […]
DevSecOps Implementation: Interactive Testing
This is the fourth installment in this series on DevSecOps. Read the first installment, on static analysis, here; the second installment, on source composition analysis, here; and the third installment, on dynamic scans, here. Dynamic testing looks at the running application, poking and prodding to see how it reacts to known vulnerabilities. A complete dynamic […]